Overview ¶
Package service provides cryptographic services for envelope encryption: AEAD cipher management (AES-256-GCM and ChaCha20-Poly1305) and key operations for the master key → KEK → DEK hierarchy. Each layer of the hierarchy is wrapped with an AEAD under the key above it, so a wrong key, a tampered ciphertext, a wrong nonce or mismatched AAD is rejected at unwrap time rather than yielding garbage key material.
Types ¶
type AEAD ¶
type AEAD interface {
// Encrypt encrypts plaintext with optional AAD and returns the ciphertext
// and the nonce that was used. The nonce is chosen by the implementation
// (the caller does not supply one) and must be stored alongside the
// ciphertext: Decrypt needs it, together with the same AAD, to recover the
// plaintext. AAD is authenticated but not encrypted and may be empty.
Encrypt(plaintext, aad []byte) (ciphertext, nonce []byte, err error)
// Decrypt decrypts ciphertext using the provided nonce and AAD. Any
// mismatch in key, nonce, AAD or ciphertext is expected to fail
// authentication and return an error; callers must treat a non-nil error
// as "no usable plaintext" and never consume the returned slice.
Decrypt(ciphertext, nonce, aad []byte) ([]byte, error)
}
AEAD defines the interface for Authenticated Encryption with Associated Data.
type AEADManager ¶
type AEADManager interface {
// CreateCipher creates an AEAD cipher instance for the specified algorithm,
// keyed with key. Implementations are expected to reject a key that is not
// the algorithm's required length (32 bytes for both supported algorithms;
// see AEADManagerService.CreateCipher) and an unknown algorithm, so a caller
// never silently receives a cipher keyed with truncated or padded material.
CreateCipher(key []byte, alg cryptoDomain.Algorithm) (AEAD, error)
}
AEADManager defines the interface for creating AEAD cipher instances.
type AEADManagerService ¶
type AEADManagerService struct{}
AEADManagerService implements the AEADManager interface for creating AEAD cipher instances.
func NewAEADManager ¶
func NewAEADManager() *AEADManagerService
NewAEADManager creates a new AEADManagerService.
func (*AEADManagerService) CreateCipher ¶
func (am *AEADManagerService) CreateCipher(key []byte, alg cryptoDomain.Algorithm) (AEAD, error)
CreateCipher creates an AEAD cipher instance for the specified algorithm. Returns ErrInvalidKeySize if key is not exactly 32 bytes (the required length for both AES-256-GCM and ChaCha20-Poly1305) or ErrUnsupportedAlgorithm if the algorithm is unknown. Callers must not pad, truncate or ad-hoc hash a key to reach 32 bytes; key material should come from a CSPRNG (as CreateKek/CreateDek do) or a proper KDF.
type AESGCMCipher ¶
type AESGCMCipher struct {
// contains filtered or unexported fields
}
AESGCMCipher implements AEAD using AES-256-GCM. Encrypt returns the nonce it used, so the cipher, not the caller, picks nonces; assuming the standard 96-bit GCM nonce and random generation, the number of messages encrypted under a single key should stay well below 2^32 to keep the nonce-collision probability negligible. Nonce reuse under the same key is catastrophic for GCM (it exposes the authentication key and the XOR of plaintexts), so this bound matters most for long-lived keys such as a KEK.
func NewAESGCM ¶
func NewAESGCM(key []byte) (*AESGCMCipher, error)
NewAESGCM creates a new AES-256-GCM cipher instance. Returns an error if key is not exactly 32 bytes.
type ChaCha20Poly1305Cipher ¶
type ChaCha20Poly1305Cipher struct {
// contains filtered or unexported fields
}
ChaCha20Poly1305Cipher implements AEAD using ChaCha20-Poly1305. The constructor takes only a key and Encrypt returns the nonce it used; if this is the IETF variant with a 96-bit nonce (rather than XChaCha20-Poly1305 — confirm against the implementation), the same nonce-collision bound as AES-GCM applies, and nonce reuse under one key is equally catastrophic.
func NewChaCha20Poly1305 ¶
func NewChaCha20Poly1305(key []byte) (*ChaCha20Poly1305Cipher, error)
NewChaCha20Poly1305 creates a new ChaCha20-Poly1305 cipher instance. Returns an error if key is not exactly 32 bytes.
type KMSService ¶ added in v0.6.0
type KMSService interface {
// OpenKeeper opens a secrets.Keeper for the configured KMS provider.
// keyURI selects the provider and key in the gocloud.dev/secrets URI
// scheme; it is deployment configuration, not end-user input, and it
// determines which root key protects everything below it in the envelope,
// so it must come from a trusted source. ctx bounds the connection attempt
// and callers should attach a deadline to it.
// Returns an error if the KMS provider URI is invalid or connection fails.
OpenKeeper(ctx context.Context, keyURI string) (cryptoDomain.KMSKeeper, error)
}
KMSService is the service-layer contract for KMS operations using gocloud.dev/secrets; it mirrors domain.KMSService and is satisfied by the value returned from NewKMSService.
func NewKMSService ¶ added in v0.6.0
func NewKMSService() KMSService
NewKMSService creates a new KMS service instance.
type KeyManager ¶
type KeyManager interface {
// CreateKek creates a new KEK encrypted with the master key. The KEK is the
// middle layer of the envelope: it is wrapped by the master key and in turn
// wraps DEKs (see CreateDek). alg selects the AEAD used for the wrapping.
CreateKek(
masterKey *cryptoDomain.MasterKey,
alg cryptoDomain.Algorithm,
) (cryptoDomain.Kek, error)
// DecryptKek decrypts a KEK using the master key and returns the plaintext
// KEK bytes. The result is live key material: hold it only as long as
// needed and zero it afterwards; a non-nil error means the output must be
// discarded.
DecryptKek(kek *cryptoDomain.Kek, masterKey *cryptoDomain.MasterKey) ([]byte, error)
// CreateDek creates a new DEK encrypted with the KEK. The DEK is the key
// callers use for data encryption; it is wrapped by the KEK and never by the
// master key directly, which keeps master-key operations off the data path.
CreateDek(kek *cryptoDomain.Kek, alg cryptoDomain.Algorithm) (cryptoDomain.Dek, error)
// DecryptDek decrypts a DEK using the KEK and returns the plaintext DEK
// bytes. Same handling caveats as DecryptKek.
DecryptDek(dek *cryptoDomain.Dek, kek *cryptoDomain.Kek) ([]byte, error)
}
KeyManager defines the interface for managing KEKs and DEKs in envelope encryption.
type KeyManagerService ¶
type KeyManagerService struct {
// contains filtered or unexported fields
}
KeyManagerService implements the KeyManager interface for envelope encryption.
func NewKeyManager ¶
func NewKeyManager(aeadManager AEADManager) *KeyManagerService
NewKeyManager creates a new KeyManagerService with the provided AEADManager.
func (*KeyManagerService) CreateDek ¶
func (km *KeyManagerService) CreateDek( kek *cryptoDomain.Kek, alg cryptoDomain.Algorithm, ) (cryptoDomain.Dek, error)
CreateDek generates a random 32-byte DEK and encrypts it with the KEK. Unlike CreateKek, the plaintext DEK is NOT included in the returned struct; obtain it by calling DecryptDek with the KEK when it is needed, and zero the returned bytes after use.
func (*KeyManagerService) CreateKek ¶
func (km *KeyManagerService) CreateKek( masterKey *cryptoDomain.MasterKey, alg cryptoDomain.Algorithm, ) (cryptoDomain.Kek, error)
CreateKek generates a random 32-byte KEK, encrypts it with the master key, and returns the encrypted KEK. The plaintext KEK is also included in the returned Kek.Key field and must be zeroed after use. Note the asymmetry with CreateDek, which does not return plaintext key material: any code that persists, serializes or logs a Kek returned by this call must clear Key first.
func (*KeyManagerService) DecryptDek ¶
func (km *KeyManagerService) DecryptDek( dek *cryptoDomain.Dek, kek *cryptoDomain.Kek, ) ([]byte, error)
DecryptDek decrypts a DEK using the KEK. Returns ErrDecryptionFailed if decryption fails due to a wrong key or corrupted data. Because the wrapping is an AEAD, a wrong KEK, a modified ciphertext, a wrong nonce or mismatched AAD all surface as the same authentication failure; callers cannot tell them apart and must not use any output when an error is returned.
func (*KeyManagerService) DecryptKek ¶
func (km *KeyManagerService) DecryptKek( kek *cryptoDomain.Kek, masterKey *cryptoDomain.MasterKey, ) ([]byte, error)
DecryptKek decrypts a KEK using the master key. Returns ErrDecryptionFailed if decryption fails due to a wrong key or corrupted data. As with DecryptDek, the AEAD authentication check collapses a wrong master key, tampered ciphertext, wrong nonce or mismatched AAD into one error; the returned bytes are only valid when err is nil and should be zeroed once no longer needed.